Internet Sellout

Demand Unearned Rewards

Harden IIS ASP.NET

Unless you are running an ancient version of IIS or ASP.NET, the steps below should apply to most versions. Each one closes a finding that web vulnerability scanners routinely report against a default IIS/ASP.NET site.

X-Frame-Options
IIS Manager
HTTP Response Headers
Add a custom header: Name X-Frame-Options, Value SAMEORIGIN (use DENY if nothing on your own site ever frames these pages). Added at the server node it applies to every site; added on a site it applies to that site only.
 
HTTP OPTIONS
IIS Manager
Request Filtering
HTTP Verbs
Deny Verb... OPTIONS (the verb then shows as Allowed = False); IIS answers OPTIONS requests with a 404 (substatus 404.6, Verb denied) instead of listing the supported methods.
Caveat: CORS preflight requests are OPTIONS requests, so do not deny the verb on a site that has to serve cross-origin XHR/fetch calls.
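The same two IIS Manager changes (the X-Frame-Options header and the denied OPTIONS verb) as a PowerShell script, so they can be repeated on every server. This is an added example, not code from the original post; it assumes the WebAdministration module on the IIS host, an elevated prompt, and a site name of 'Default Web Site' that you replace with your own.

```powershell
# Added example (not from the original post). Assumptions: run elevated on the
# IIS host; $siteName is a placeholder for the site being hardened.
Import-Module WebAdministration   # installed with the IIS role / RSAT

$siteName = 'Default Web Site'    # assumption: replace with your site
$sitePath = "IIS:\Sites\$siteName"

# 1. X-Frame-Options: SAMEORIGIN as a custom response header.
#    IIS Manager's "HTTP Response Headers" writes the same element into
#    web.config under system.webServer/httpProtocol/customHeaders.
#    Use -PSPath 'IIS:\' instead of the site path to apply it server-wide.
$hdrFilter = 'system.webServer/httpProtocol/customHeaders'
$current = Get-WebConfigurationProperty -PSPath $sitePath -Filter $hdrFilter -Name Collection |
           Where-Object { $_.name -eq 'X-Frame-Options' }
if ($current) {
    # Header already present (maybe with a weaker value): overwrite the value.
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$hdrFilter/add[@name='X-Frame-Options']" `
        -Name value -Value 'SAMEORIGIN'
} else {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter $hdrFilter -Name '.' `
        -Value @{ name = 'X-Frame-Options'; value = 'SAMEORIGIN' }
}

# 2. Request Filtering: deny the OPTIONS verb. Equivalent to IIS Manager's
#    Request Filtering > HTTP Verbs > Deny Verb..., and lands in
#    system.webServer/security/requestFiltering/verbs as
#    <add verb="OPTIONS" allowed="false" />.
$verbFilter = 'system.webServer/security/requestFiltering/verbs'
$currentVerb = Get-WebConfigurationProperty -PSPath $sitePath -Filter $verbFilter -Name Collection |
               Where-Object { $_.verb -eq 'OPTIONS' }
if ($currentVerb) {
    Set-WebConfigurationProperty -PSPath $sitePath -Filter "$verbFilter/add[@verb='OPTIONS']" `
        -Name allowed -Value $false
} else {
    Add-WebConfigurationProperty -PSPath $sitePath -Filter $verbFilter -Name '.' `
        -Value @{ verb = 'OPTIONS'; allowed = $false }
}

# Read back what is now in effect for the site.
Get-WebConfiguration -PSPath $sitePath -Filter "$hdrFilter/add"  | Select-Object name, value
Get-WebConfiguration -PSPath $sitePath -Filter "$verbFilter/add" | Select-Object verb, allowed
```

The script is idempotent: rerunning it updates an existing entry rather than adding a duplicate, which is what you want when it is part of a build or deployment pipeline.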

Weak SSL Ciphers
IIS Crypto, a free third-party tool from Nartac:
https://www.nartac.com/Products/IISCrypto/
Press the 'Best Practices' button and reboot. The tool edits the Schannel protocol and cipher suite settings in the registry, and those are only picked up after a restart. Before applying it on a production box, confirm that nothing you depend on (legacy clients, old monitoring agents) still needs a protocol the template disables, and re-scan afterwards to confirm the weak ciphers are gone.
 
Autocomplete Enabled on Password Field
Edit ASP.NET Login Pages
Edit login template (may have to turn asp:Login into template to see child controls)
<asp:TextBox ID="Password" runat="server" AutoCompleteType="Disabled" autocomplete="off" TextMode="Password"></asp:TextBox>

You would think AutoCompleteType="Disabled" would be enough, but ASP.NET only honours AutoCompleteType on single-line text boxes, so on a TextMode="Password" box it renders nothing at all. The plain autocomplete="off" is not a server-side property, so it is passed through unchanged to the rendered <input>, which is why dropping it in works.
Caveat: current browsers ignore autocomplete="off" on password fields and offer to save the password anyway, so this clears the scanner finding more than it stops a browser from storing the password.
 
Secure Flag on Cookies
ASP.NET Website web.config
Add these SSL attributes where needed:
<system.web>
 <httpCookies requireSSL="true" />
 <authentication mode="Forms">
  <forms loginUrl="Login.aspx" defaultUrl="Default.aspx" requireSSL="true" />
 </authentication>
 <anonymousIdentification enabled="true" cookieRequireSSL="true" />
 <roleManager enabled="true" defaultProvider="CustomRoleProvider" cookieRequireSSL="true">
    ...    
 </roleManager>
</system.web>


I would have preferred to set this in the root Web.config so it applied everywhere, but I could not get that to work.
For development I sometimes use:
<appSettings file="diff\config\AppSettings.config">
and
<connectionStrings configSource="diff\config\Connection.config"/>
in the web.config so the same generic web.config serves both production and development.
However, once requireSSL="true" is set, ASP.NET refuses to issue the forms authentication cookie over plain HTTP (the login fails with an HttpException saying the application is configured to issue secure cookies), so I would have to develop over SSL from now on to keep using this approach.
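A check that the hardening on this page actually took effect, run from any machine that can reach the site. This is an added example, not code from the original post; it assumes a placeholder site URL https://www.example.com, a login page named Login.aspx as in the web.config above, and Windows PowerShell 5.1 or PowerShell 7. It covers one more thing than the steps above strictly require: it also reports whether the cookies carry HttpOnly, which scanners flag right next to the missing Secure flag.

```powershell
# Added example (not from the original post). Assumptions: $BaseUrl is a
# placeholder; the login page is Login.aspx; PowerShell 5.1 or 7.
function Test-LegacyTlsRejected {
    param([string]$TargetHost, [int]$Port = 443)
    # Try a TLS 1.0-only handshake. After IIS Crypto "Best Practices" the server
    # should refuse it. Caveat: this only proves something if the client OS
    # itself still offers TLS 1.0; otherwise the failure is on our side.
    $tcp = New-Object System.Net.Sockets.TcpClient($TargetHost, $Port)
    try {
        # Accept any certificate: we only care whether the protocol is negotiated.
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false, [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
        $ssl.AuthenticateAsClient($TargetHost, $null, [System.Security.Authentication.SslProtocols]::Tls, $false)
        return $false   # handshake succeeded, so TLS 1.0 is still enabled
    } catch {
        return $true    # handshake refused
    } finally {
        $tcp.Close()
    }
}

function Test-IisHardening {
    param(
        [Parameter(Mandatory)][string]$BaseUrl,
        [string]$LoginPage = 'Login.aspx'
    )
    $uri = [uri]$BaseUrl
    $results = [ordered]@{}

    # 1. X-Frame-Options present with a value that blocks cross-origin framing.
    $resp = Invoke-WebRequest -Uri $BaseUrl -UseBasicParsing
    $xfo = "$($resp.Headers['X-Frame-Options'])".Trim()
    $results['X-Frame-Options set'] = $xfo -in @('SAMEORIGIN', 'DENY')

    # 2. OPTIONS refused. Request Filtering answers a denied verb with HTTP 404
    #    (substatus 404.6, "Verb denied"), which Invoke-WebRequest raises as an error.
    try {
        Invoke-WebRequest -Uri $BaseUrl -Method Options -UseBasicParsing | Out-Null
        $results['OPTIONS denied'] = $false
    } catch {
        $results['OPTIONS denied'] = ([int]$_.Exception.Response.StatusCode -eq 404)
    }

    # 3. Every cookie the login page issues must carry Secure (and ideally HttpOnly).
    #    The session's CookieContainer parses Set-Cookie for us, which avoids
    #    splitting the comma-joined header string by hand.
    $loginUrl = "$($BaseUrl.TrimEnd('/'))/$LoginPage"
    $resp = Invoke-WebRequest -Uri $loginUrl -UseBasicParsing -SessionVariable sess
    $cookies = @($sess.Cookies.GetCookies([uri]$loginUrl))
    $results['cookies Secure']   = ($cookies.Count -gt 0) -and -not ($cookies | Where-Object { -not $_.Secure })
    $results['cookies HttpOnly'] = ($cookies.Count -gt 0) -and -not ($cookies | Where-Object { -not $_.HttpOnly })

    # 4. The rendered password box must carry autocomplete="off".
    $pwInputs = [regex]::Matches($resp.Content, '<input[^>]*type="password"[^>]*>', 'IgnoreCase')
    $missing  = $pwInputs | Where-Object { $_.Value -notmatch 'autocomplete="off"' }
    $results['password autocomplete off'] = ($pwInputs.Count -gt 0) -and -not $missing

    # 5. Legacy TLS refused (see caveat in Test-LegacyTlsRejected).
    $results['TLS 1.0 rejected'] = Test-LegacyTlsRejected -TargetHost $uri.Host -Port $uri.Port

    return $results
}

Test-IisHardening -BaseUrl 'https://www.example.com'   # assumption: replace with your site
```

Each key in the returned table is one finding from the list above; anything that comes back False is a step that did not stick (for instance a cookie set by a handler that bypasses the forms/roleManager settings, or a header added at the site node while the scanner hit a different site on the same server).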